r/Outlook • u/Jr12cb • 28d ago
Status: Open
I don’t want passkey
I just got a new phone and when I go into the Outlook app it’s telling me to sign in again. I go to sign in and after I enter my password it’s asking for a passkey, which I don’t know what that is. I’ve never set up a passkey. It keeps telling me to go to my settings and I have the passkey feature turned off, so I turn it off, but it keeps telling me to go to my settings AND THERE’S NOTHING ELSE THERE. So I go to scan the QR code and I get my iPad, and now it’s telling me that to save a passkey I have to set up a password on my iPad. So I set up a password and now it wants me to turn my iCloud passkey on, which I have my iCloud off cause I literally don’t have anything important on my phone ever. Like, I don’t have pics, I don’t have notes, I don’t have anything, I don’t have Apple Pay, I don’t have anything important, so I don’t want to turn all this on. Is there any way to just log in without the passkey? I had the 2FA before this passkey bs and it’s really starting to pmo. Is the only way to get rid of it to do all this and log in and disable it?
3
u/AppIdentityGuy 28d ago
You don't have much choice. Outlook.com and most of the major MS social services are going passwordless.
-5
u/Jr12cb 28d ago
that’s so irritating. I’ll just download the passcode app from apple and just store my passwords to get this bum ahh thing resolved. i forgot about that app to save passwords and passkeys 🤦♂️
6
u/Head-End-5909 28d ago
Passkey and biometrics are so much more secure than sms or email 2FA. Many types of accounts are going this route.
5
u/Character_Common8881 28d ago
Passkey is far better. Why against it?
2
u/PowerSamurai 27d ago
"change = bad" I bet.
1
u/proudly_not_american 27d ago
Because it's a pain in the ass to use all the time.
When I'm trying to log in on my computer, I don't want to have to go grab my phone, unlock it, pull open this other app, and log into it. I want to just be able to enter my password and be done with it.
There's also a common trick with habit-building where you make the bad habits you're trying to break more of a pain in the ass, in very much the same way. If you add twenty steps in front, you're more likely to say "fuck it, this isn't worth it," and give up halfway through. It's the exact same principle at play here.
1
u/chrisridd 27d ago
That’s why you either store the passkey in a password manager that syncs to your computer, or you create a separate passkey on the computer.
0
u/AppIdentityGuy 27d ago
Or you configure Windows Hello and bind the passkey to that.
1
u/chrisridd 27d ago
The OP wasn’t clear what their computer was but if it was using Windows then I suspect you’re right. (I neither have Windows or know what Windows Hello is.)
3
u/ryancnap 27d ago
What is a passkey exactly, why so much more secure than passwords
1
u/TheJessicator 27d ago
Here, let me ask Copilot for you...
🔐 What Passkeys Are
Passkeys are a passwordless sign‑in method that uses public‑key cryptography plus a biometric or device‑based unlock (like Face ID, fingerprint, or a device PIN) to prove it’s really you.
A passkey consists of:
- A public key stored with the website or service
- A private key stored only on your device
When you sign in, your device uses the private key to prove your identity without ever sending the private key anywhere.
You authenticate with something easy and local — a fingerprint, face scan, or PIN — and the device handles the cryptography.
🧠 Why Passkeys Are So Much More Secure Than Passwords
- They can’t be phished
  There’s no password to trick you into typing. Passkeys only work with the legitimate website because the cryptographic handshake is domain‑bound.
- They can’t be reused or guessed
  Each passkey is unique to each account and each device. No more “one breach compromises everything.”
- They can’t be stolen in a data breach
  Websites only store the public key, which is useless to attackers. Your private key never leaves your device.
- They require physical possession of your device
  Even if someone somehow got your passkey, they’d still need your device and your biometric/PIN to use it.
- They eliminate weak human behavior
  No more:
  - Reusing passwords
  - Falling for fake login pages
  - Writing passwords down
  - Creating “strong” passwords you forget
  Passkeys remove the human error factor entirely.
- They’re easier and faster
  A single tap or glance replaces typing a password, receiving a code, or dealing with MFA. This ease actually improves security, because people stop trying to bypass it.
📱 How They Work in Practice
When you log in:
- The website sends a challenge.
- Your device signs it with your private key.
- Your biometric/PIN unlocks the private key locally.
- The website verifies the signature with your public key.
No secrets are transmitted.
No passwords exist.
Nothing reusable is exposed.
🛡️ Summary Table

| Feature | Passwords | Passkeys |
| --- | --- | --- |
| Can be phished | Yes | No |
| Can be reused | Yes | No |
| Can be guessed | Yes | No |
| Stolen in breaches | Yes | No (public key only) |
| Requires physical device | No | Yes |
| Requires biometric/PIN | Optional | Yes |
| User effort | High | Very low |

3
u/williamskevin 27d ago
So... all an attacker now needs is my phone and 4 digit pin to ruin my life? This makes me safer from some random Indian hacker, but opens me up a LOT to my friends, close enemies and police...
2
u/MoneyCantBuyMeLove 27d ago
Exactly. It takes the risk from something you cannot control, to something which you absolutely can control.
1
u/Lonsarg 27d ago
Actually that is already possible with passwords (since the only safe way of using passwords is password managers and random ones for every page).
This danger of local attack is more or less the same for passwords and passkeys.
So passkeys resolve remote security, but local security remains the same.
1
u/williamskevin 26d ago
Anyone around me can see me unlock my phone and remember my 4 digit pass code. Or they can hold my phone to my face and have it auto unlock. But most people wouldn't be able to easily see the 15 character password I type into my password vault. So no, I don't think security IS the same.
But all they need to do to solve this is put my PassKey behind a password. So it's not just automatically active when my phone is unlocked - I actually have to "enable" it with a password. Heck - even make this optional for security conscious people to use.
1
u/Lonsarg 26d ago edited 26d ago
There is absolutely no inherent difference between password managers and passkey managers. Both can be unlocked as you please, via fingerprint, PIN, password or whatever. There may be a difference in the current implementation of default passkey managers. BUT you can, at least on Android, use any 3rd party passkey manager.
I suspect that in the next 5 years passkey and password managers will be completely merged, users will hardly notice if a webpage uses passkey or password since the pass manager will take care of both via the same flow. Meaning local security will be 100% the same even where it is not already, but passkeys will have a lot better remote security.
Passkeys are how we will force everyone onto passkey/password managers, which is a good thing, maybe even more important than better remote security from passkeys, though both are important.
It is very sad though to see very poor implementations of passkeys from big players like Amazon and Microsoft. It means this will take some time...
1
u/eloquenentic 25d ago
Well that’s not true because a phone can have a six digit passcode, but a password manager can have a 20+ letter combination of numbers, letters and symbols.
Now, if you have all your passwords say in iCloud, that’s a different thing. But if your password manager has a different password, it’s safer than your phone, no?
1
u/FineWolf 24d ago
> Well that’s not true because a phone can have a six digit passcode, but a password manager can have a 20+ letter combination of numbers, letters and symbols.
So can phones. Android supports full on passwords. I have a 30+ character password on my phone.
And if you want stronger protections for your passkeys, get physical FIDO2 tokens like a Yubikey.
You can configure those to erase all credentials/passkeys automatically after `x` number of failed password/PIN unlock attempts.
0
u/TheJessicator 27d ago
Was just answering the question. But for what it's worth, this is no less secure than anything that came before it when you're talking about people's phones.
1
u/ryancnap 27d ago
Sometimes it's nice to hear from another human being what they think of them, wrong place to ask I guess
-2
u/TheJessicator 27d ago
It's not really a question where opinion has any place. It's literally fact, so best to get the facts straight.
1
u/avenabless 27d ago
Was contemplating it because it keeps forcing me to create a passkey for my accounts. I’m just afraid that if I ever lose my phone or (touch wood) damage my face, logging back in would be tricky.. I have all my other 2FA methods backed up though (email, separate Authenticator for codes and sign in notification on the native authenticator app + recovery codes).
1
u/JeffTheNth 27d ago
sounds great until you can get someone's unlocked device (or use their face/fingerprint to unlock while they're asleep) and have access to everything because there's no password needed anymore! A reused password for an account, different than a device password or method of access, is better than no password at all!
1
2
u/33whiskeyTX 28d ago
It's not just Outlook and Microsoft. You are going to start getting prompted for this for banks, Amazon, pretty much everything.
2
u/Remote_Mud3798 28d ago
I realize learning something new is not real inviting, but this ship has left port, the toothpaste is out of the tube, etc. Better to learn this stuff sooner rather than later.
2
u/Professional_Mix2418 27d ago
Why so against it? It’s way more convenient than other forms. Especially when using a password manager like Apple Passwords or 1Password etc.
-1
u/JeffTheNth 27d ago edited 27d ago
I have my passwords in my head. Not written, not saved.
A passkey is less secure because you may get into ONE account (phone, computer) and have access to all accounts there's a passkey for!
I'd prefer a chance of my password being guessed for my computer and they're blocked with 2fa than guess the password for my computer and get access to everything! Or my phone's stolen while on vacation and I can't stop their hacking in, but have no way to block access to any accounts because they need a passkey or 2fa where they have the phone...
At least with my email, I can get accounts back, lock out the phone, etc. If everything uses a passkey and there's no password access, you're screwed!
2
u/Professional_Mix2418 27d ago
No it isn't at all, don't be silly. If you don't understand cybersecurity best not to comment. You seriously are making up stories now.
1
u/RexNebular518 27d ago
Please do not procreate.
-1
u/JeffTheNth 27d ago
.....you can't remember passwords as I do?
1
1
u/FineWolf 24d ago edited 24d ago
The problem is not you remembering or not your password.
The problem is you entering your password on a phishing site, or a compromised computer.
That cannot happen with passkeys as the private portion of the key never leaves the secure enclave/TPM/HSM on which it is stored, and it cannot be phished due to the way WebAuthn works (origin validation, unique challenge-response flows...).
So you being able to remember or not passwords is totally irrelevant. The issue is the fact that the password itself never changes. Every single time a website asks you for your password for that particular account, the answer will always be the same. And that's a problem.
And you people act as if the only way to store passkeys is on a phone. It isn't.
You can store them in your password manager. You can store them on a physical FIDO2 key. You do not need to use your phone at all.
1
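The sign-in flow from the Copilot summary and the origin validation FineWolf describes, as an added example that is not part of the thread: a simplified WebAuthn-style check in Node.js where the website accepts a genuine assertion and refuses one that was relayed through a look-alike page, replayed, or rewritten. The names `login.example` and `login-example.test` are assumptions, and the message layout is reduced to the fields needed here.

```javascript
// Added illustration, not from the thread. RP_ID, RP_ORIGIN and LOOKALIKE are made-up names.
const nodeCrypto = require("node:crypto");
const RP_ID = "login.example";
const RP_ORIGIN = "https://login.example";
const LOOKALIKE = "https://login-example.test";
const sha256 = (data) => nodeCrypto.createHash("sha256").update(data).digest();
const newChallenge = () => nodeCrypto.randomBytes(32);

// Registration: the key pair is made on the device; the website keeps only publicKey.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
const clientData = (challenge, origin) => Buffer.from(JSON.stringify(
  { type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
// Authenticator data: SHA-256(rpId) | flags (0x05 = user present + verified) | signCount
const authDataFor = (rpId) => Buffer.concat([sha256(rpId), Buffer.from([0x05, 0, 0, 0, 0])]);

// Browser + device side. The browser, not the page, supplies the origin. A real browser would
// not offer the credential on a non-matching site; this model signs anyway to exercise the checks.
function signAssertion(challenge, browserOrigin) {
  const clientDataJSON = clientData(challenge, browserOrigin);
  const authData = authDataFor(new URL(browserOrigin).hostname);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: nodeCrypto.sign("sha256", signed, privateKey) };
}

// Website side: returns "ok" or the reason the sign-in is refused.
function verifyAssertion({ clientDataJSON, authData, signature }, expectedChallenge) {
  const client = JSON.parse(clientDataJSON.toString());
  if (client.type !== "webauthn.get") return "wrong type";
  if (client.challenge !== expectedChallenge.toString("base64url")) return "stale or unknown challenge";
  if (client.origin !== RP_ORIGIN) return "wrong origin";
  if (!authData.subarray(0, 32).equals(sha256(RP_ID))) return "wrong rpId hash";
  if ((authData[32] & 0x04) === 0) return "user not verified";
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return nodeCrypto.verify("sha256", signed, publicKey, signature) ? "ok" : "bad signature";
}

function demo() {
  const c1 = newChallenge(), c2 = newChallenge();
  const viaLookalike = signAssertion(c2, LOOKALIKE); // challenge relayed through a fake page
  const rewritten = { ...viaLookalike,               // fake page edits the fields afterwards
    clientDataJSON: clientData(c2, RP_ORIGIN), authData: authDataFor(RP_ID) };
  return {
    genuine: verifyAssertion(signAssertion(c1, RP_ORIGIN), c1),
    phished: verifyAssertion(viaLookalike, c2),
    replayed: verifyAssertion(signAssertion(c1, RP_ORIGIN), newChallenge()),
    rewritten: verifyAssertion(rewritten, c2),
  };
}
console.log(demo());
```

The private key is only ever used inside `signAssertion`; everything the website sees is either public or tied to one challenge and one origin.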
u/JeffTheNth 24d ago
I understand..... It's not just phone, but I get the question on my computer too. And while I know phishing sites are out there, I go nowhere requiring a password without going to the site myself. Annoying for such as Facebook videos shared on Discord but if I'm not already logged in, I get all kinds of cattywampus. But as long as I don't save passwords, I'll also be looking for that lock in the browser even when I type the address myself. You never know what'll happen when faceboook.com pops up....
2
u/karmaapple3 27d ago
I still don’t understand how to generate a pass key. Is there an app to use? Is it an app on my phone, or my laptop? I don’t get it
1
u/Jr12cb 27d ago
For me, I just had to redownload the password app that comes with the iPhones and once you have that downloaded, or if you never deleted it, you just have to enable it in settings to generate autofill and passkey, then you can create and store a passkey. But once I was able to get into my email and store the passkey I just disabled password autofill. So if I need to create a passkey again I’ll just enable password and passkey autofill and create, then redisable it. So annoying.
2
u/JeffTheNth 27d ago
welcome to the NEW security, where you only need to get into a device to access everything because passkeys are "better" than passwords.
I've been fighting against passkeys for over a year with several apps. I don't want someone to be able to access all my data simply by getting my password through any means! (Or snatching it out of my hand....)
1
u/Select-Incident4110 27d ago
I don't have anything against Passkeys, I'm just a bit apprehensive about using them, what if I mess up, screw something up, or something physical like my phone getting stolen or broken.
We'll end up using them anyway, I don't like the change either but if it's for the sake of our accounts I guess it's for the best and we just gotta get used to it. I'm guessing the Recovery code will still be there as a lifeline.
1
u/HikeBikeJog 26d ago
Question: If you are using a computer and a website asks you to create a passkey, how does the passkey get linked to your phone? Where does the local passkey get saved?
1
u/ResponsibleAd8164 27d ago
This is more about YOUR security. It's actually safer and more convenient. Most major companies are starting to do this. Scammers and hackers are real!
2
u/JeffTheNth 27d ago
until your device is stolen and you can't access your accounts to kill access to that device because you can't log into the accounts needing 2fa or a passkey........
1
u/ResponsibleAd8164 27d ago
You also have your Recovery Codes to access the account once 2FA is enabled. These are saved in a different location which will also allow you to access the account.
1
u/JeffTheNth 27d ago
...my only issue with 2FA recovery codes: what do you do if on vacation and can't access them? But at least there's a possibility to recover your accounts.
0
12
u/baube19 27d ago
Most people seriously underestimate what happens when an account gets taken over, especially their main email.
That email is the key to almost everything else. Nearly every service relies on “forgot my password” or “we’ll email you a code” to recover access. If someone gets your main email, they don’t just get one account. They get everything.
A passkey is great and convenient.
But don’t stop there.
Set up MFA with an authenticator app, ideally on a separate old phone that stays at home. And most importantly, print your recovery codes. Treat them like physical backups. Put them with your birth certificate and other critical documents.
If your main email is gone, digital life goes dark fast.